Insecure Apps & APIs are a Problem

Web Applications are Being Targeted
- Most common data breach pattern*
- Top hacking vector*

Your business depends on web applications
Any app or API can be a foothold into your organization
Developers are not incentivized for security
Cloud-based apps are easy for developers to deploy

Examples: U.S. Postal Service (API), MyFitnessPal (API), Equifax, Ashley Madison

* Source: 2018 Verizon DBIR


Apps & APIs are Everywhere

- Public-Facing Web Apps
- Internal Web Apps
- Apps in Public Clouds (Google Cloud Platform, Microsoft Azure)
- REST APIs
- New Apps under Development
Web Application Scanning Review

Qualys Web Application Scanning
A leading dynamic application security testing (DAST) tool

[Screenshot: WAS web application record for http://2k3r2-sp1-32bit.vuln.qa.qualys.com:8080 (IP address 10.10.24.112, operating system Windows Server 2003 R2 Service Pack 1), updated 23 Aug 2017, "Web Application added from scan consolidated data from VM"]

- Includes automated crawling
- Supports Selenium scripts
- Malware monitoring as a bonus

Built for the Enterprise

Web App Discovery
- Unlimited scans & users
- RBAC
- Tagging

Scheduled scans
- Ad-hoc, targeted scans
- Multi-site scans
- Retest vulnerability

Massive scalability
- Detection history
- Scheduled reports
- Customizable reports
- Scan for malware

Robust API
- CI/CD integration
- Unique integration w/Qualys WAF
- Swagger support
- Integration with manual pen testing tools
What's New in Qualys WAS

Scanning REST APIs
- Swagger is a specification that describes a set of REST APIs (swagger.io; OpenAPI Initiative, https://www.openapis.org)
- Swagger file typically available from dev team
- Set Swagger file as target URL in Qualys WAS
- API endpoints are automatically tested for vulnerabilities
- Swagger v2 JSON format currently supported
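The slide says a scanner given a Swagger v2 file can enumerate and test every API endpoint automatically. The added example below (not Qualys code; written for this page) shows the first half of that work: it parses a constructed Swagger v2 JSON document, expands each path/method pair into a concrete target URL with its declared parameters, and flags operations that end up with no security requirement at all. The sample document, its host `api.example.test`, and the `X-API-Key` scheme are all assumptions made up for the example; the parsing follows the Swagger 2.0 specification (root `host`/`basePath`/`schemes`, root and operation-level `security`, path-level shared `parameters`).

```python
import json

# Constructed sample Swagger 2.0 document (not from any real project).
# It mimics what a dev team typically hands over for API scanning.
SAMPLE_SWAGGER = json.dumps({
    "swagger": "2.0",
    "info": {"title": "Acme Orders", "version": "1.0"},
    "host": "api.example.test",          # assumed host
    "basePath": "/v1",
    "schemes": ["https"],
    "securityDefinitions": {
        "api_key": {"type": "apiKey", "name": "X-API-Key", "in": "header"}
    },
    # Root-level requirement: every operation needs the API key unless it overrides this.
    "security": [{"api_key": []}],
    "paths": {
        "/orders": {
            "get": {"summary": "List orders",
                    "parameters": [{"name": "status", "in": "query", "type": "string"}]},
            "post": {"summary": "Create order",
                     "parameters": [{"name": "body", "in": "body", "schema": {"type": "object"}}]},
        },
        "/orders/{id}": {
            # Path-level parameters apply to every operation under this path.
            "parameters": [{"name": "id", "in": "path", "required": True, "type": "string"}],
            "get": {"summary": "Fetch order"},
            # An explicit empty list overrides the root requirement: this operation is unauthenticated.
            "delete": {"summary": "Delete order", "security": []},
        },
        "/health": {"get": {"summary": "Liveness probe", "security": []}},
    },
})

# HTTP methods a Swagger 2.0 path item may define.
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch")


def enumerate_endpoints(swagger_json):
    """Expand a Swagger 2.0 document into the list of concrete endpoints a scanner would target."""
    doc = json.loads(swagger_json)
    if doc.get("swagger") != "2.0":
        raise ValueError("only Swagger v2 documents are handled here")
    scheme = (doc.get("schemes") or ["https"])[0]
    base = f"{scheme}://{doc.get('host', '')}{doc.get('basePath', '')}"
    global_security = doc.get("security", [])
    endpoints = []
    for path, item in doc.get("paths", {}).items():
        shared_params = item.get("parameters", [])
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            params = shared_params + op.get("parameters", [])
            # Operation-level security (even an empty list) replaces the root-level requirement.
            security = op.get("security", global_security)
            endpoints.append({
                "method": method.upper(),
                "url": base + path,
                "params": [(p["name"], p["in"]) for p in params],
                "authenticated": len(security) > 0,
            })
    return endpoints


def unauthenticated_endpoints(swagger_json):
    """Operations that declare no security requirement: worth a second look before exposure."""
    return [f"{e['method']} {e['url']}"
            for e in enumerate_endpoints(swagger_json) if not e["authenticated"]]


if __name__ == "__main__":
    for ep in enumerate_endpoints(SAMPLE_SWAGGER):
        auth = "auth" if ep["authenticated"] else "NO AUTH"
        print(f"{ep['method']:6} {ep['url']:45} {auth:8} params={ep['params']}")
```

Running the script on the sample lists five endpoints; the `DELETE /orders/{id}` and `GET /health` operations show up as unauthenticated because they override the root-level `security` requirement with an empty list, which is the kind of inconsistency a review of the Swagger file should catch before the scanner ever runs.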


Jenkins Plugin for WAS

[Screenshot: Jenkins "Pipeline Syntax" Snippet Generator for the "Acme Application" job, with the Sample Step set to "qualysWASScan: Qualys WAS Plugin for Jenkins"]

Overview text shown by Jenkins: This Snippet Generator will help you learn the Pipeline Script code which can be used to define various steps. Pick a step you are interested in from the list, configure it, click Generate Pipeline Script, and you will see a Pipeline Script statement that would call the step with that configuration. You may copy and paste the whole statement into your script, or pick up just the options you care about. (Most parameters are optional and can be omitted in your script, leaving them at default values.)

API Login section of the step ("Provide details for accessing the Qualys Container Security API"):
- API Server URL: https://qualysapi.qualys.com (Example: https://qualysapi.qualys.com)
- API Username / API Password
- Use Proxy Settings (checkbox)
- Test Connection button, shown here with "Connection test successful!"


Manual Testing Complements WAS

- Dynamic application testing is one piece of the AppSec puzzle
- Manual penetration testing is important for your business-critical apps

Qualys WAS offers:
- Bugcrowd integration
- Burp Suite integration
- Partnerships with consulting shops
Bi-directional Integration with Bugcrowd

[Slide shows the Bugcrowd logo]
Qualys WAS Burp Extension

Burp Suite <-> Web Application Scanning

- A quick, intuitive way to send Burp-discovered issues into WAS
- Provides centralized viewing/reporting of WAS detections + Burp issues
- Available in Burp's BApp Store
Qualys WAS Burp extension

[Screenshot: Burp Suite Extender > BApp Store with the "Qualys WAS" Pro extension (last updated 06 Aug 2018) selected; a "Qualys WAS" tab appears alongside Burp's standard tabs]

Extension description as shown in the BApp Store:

The Qualys WAS Burp extension provides a way to easily push Burp scanner findings to the Web Application Scanning (WAS) module within the Qualys Cloud Platform. As a Qualys WAS customer, you can then view and report Burp issues alongside WAS findings for a more complete picture of your web application's security posture.

To learn more about Qualys WAS, its integration with Burp, and the additional security and compliance solutions available in the Qualys Cloud Platform, please visit ...

- Straightforward setup and usage
- Selected Burp scanner finding(s) exported to Qualys WAS via context menu
- Option to purge or close existing Burp issues in WAS

Usage:
1. Add the extension to your instance of Burp Suite Professional by installing directly from the "BApp Store" tab within Burp or by loading the jar file from the Extensions tab.
2. In the "Qualys WAS" tab, select the appropriate Qualys platform for your subscription and enter your Qualys username & password.

Requirements:
- Burp Suite Professional 1.7 or later

Features:
- Supports all Qualys shared platforms as well as private cloud platforms
- Upstream proxy server settings in Burp are honored automatically
- Written in Java

WAS Enhancements, YTD (2018)

Jan 2018
- CMS vulns
- Multi-scan alerts
- Update QID mappings to 2017 OWASP Top 10

April 2018
- Swagger
- Jenkins plugin
- Qualys Browser Recorder
- Test Authentication
- Exclude parameters

May 2018
- Added CSV v2 report
- Results for cancelled scans
- Add'l CMS vulns

June 2018
- SSTI
- Header injection
- WebLogic RCE
- RichFaces RCE
- "Spring Break"
- PrimeFaces RCE

July 2018
- Burp extension
- Telerik crypto flaw
- Improved scan status
- Scan settings snapshot
- Retest multiple findings

Sept 2018
- Browser engine upgrade
- XSS Power Mode
- Tag apps upon import
- ESI injection
- WebSocket detection

Oct 2018
- Blueimp file upload
Qualys WAS Roadmap

Dec 2018
- Blind XPATH injection
- Improved KB search
- Custom report footer
- Burp & Bugcrowd findings added to report
- Ignore finding time limit
- "Launch Now" for scheduled report

Jan 2019
- Custom scan intensity
- Jenkins plugin v2

Feb-Mar 2019
- TLS 1.3 support
- SSL/TLS detections
- Out-of-band detections
- Security header tests
- Enhanced crawling
- CyberArk PIM integration

Q2-Q3 2019
- Elasticsearch
- New dashboard
- UI modernization
- Support OpenAPI v3
- Support Postman Collections
Coming in 2019

[Screenshot: Qualys "API Security" module home page with Video Tutorials, Related Community Posts and Tweets panels, and "Get started with these quick steps":]
- Configure API Collections
- Assess your API Collections
- Scan your API for compliancy
- Scan your API for vulnerability
- Configure API Endpoints
- Strategies and Best Practices


Web Application Firewall Review

Qualys WAF
- Integration with WAS
- Architecture improvements
- Integration with Docker
- Security Improvements
- Roadmap - standalone
- Roadmap - Integrated Suite

[Screenshot: WAF "Dashboard - All Web Applications" for the last 30 days (Mon 08 Oct 2018 - Wed 07 Nov 2018) with Event Summary, Events and Traffic Origins panels]
WAS / WAF Integration: ScanTrust

ScanTrust: Challenge your WAF protection
Assess both the application and the policy that protects it

[Screenshot: WAS Detection List (tabs include Burp and Bugcrowd) for http://waf-demo.qualys.com, filtered by Confirmed Vulnerability, Potential Vulnerability, Sensitive Content and Information Gathered levels. Findings on the BodgeIt login.jsp and search.jsp pages include Blind SQL Injection, Reflected Cross-Site Scripting (XSS) Vulnerabilities (QID 150001) and Browser-Specific Cross-Site Scripting Vulnerabilities, each carrying a status of Protected, Fixed or New. The per-finding menu offers View, Ignore, Install Patch, Edit Severity and External References, and the Status values are New, Re-Opened, Protected and Fixed.]

WAS / WAF Integration: Virtual Patch

Virtual Patch: One-click mitigation tool for CISO teams
Run from within WAS to address confirmed threats

Install Patch dialog text: "We'll automatically add a virtual patch rule to your WAF to block exploitation of the selected vulnerability on your web application. You can easily remove the virtual patch (and rule) at any time either here or from the WAF management interface."

[Screenshot: Patch Details for a finding (QID 150173) showing the generated WAF rule, which inspects the request's Content-Type header:
When request.header.content-type MATCH ".*\%.*\{.*multipart/form-data$"]

What's New in Qualys WAF

Supported Platforms
Shared and Private Qualys Cloud Platforms

[Screenshot: "Select Virtual Appliance Image" dialog: "Choose the virtualization platform you want to use to run your WAF appliance on."]

Platform / Details:
- VMware: Standard VMware virtualization platform
- Hyper-V: Microsoft Hyper-V 5.1 virtualization platform
- Amazon EC2: Amazon EC2-Classic, Amazon EC2-VPC
- Microsoft Azure: Microsoft Azure platform
- Google Cloud platform
- Docker platform
WAF Architecture Improvements

Easy and Usable Architecture
- Virtual Reverse-Proxy
- Cluster-able within hybrid topologies
- Load-Balancing capabilities
WAF Architecture Improvements

Virtual Appliance & Container (v1.5.3)
- XML/JSON content inspection
- Docker Host integration for backend automation
- Better performance
- Scheduled upgrades
- Orchestration via Qualys API
Docker Single Host

[Diagram: one Docker host running the Qualys WAF container in front of the protected web-app containers (Container #1, Container #2, ...), all joined by a Docker network; the host is attached to the physical network. Caption: "Continuous Security".]

docker CLI: access to docker services via unix sockets

Controls:
- containers (start | stop | delete | inspect)
- networks
- images (pull | push | delete)

Stores images


Docker Multiple Hosts

[Diagram: several Docker hosts, each on its own physical network, each running a Qualys WAF container in front of a web-app container (Container #1 / Web App). Access to docker services via ... (transport label not legible in the extraction).]


Security Improvements

- Custom Rules: write and manage your own filters
- XML/JSON inspection
- Virtual Patches and Event Exceptions
- Latency control
- Rewriting capabilities (headers)

Qualys Rulesets and Templates
- DAG based inspection, programmable logic
- Drupal 8.0.x, Joomla 3.4.x, Magento 2.5-2.6, Wordpress 4.2.x-4.3.x
- JBoss 4.x-7.x, OWA 2010-2017, Sharepoint 2010-2017, Tomcat 8.0.x
- Qualys Generics for unknown apps
Qualys WAF Roadmap

WAF Roadmap - Standalone

Dec 2018
- New Custom Rules keys + Community Library
- Revamped Security Events
- Enriched CLI and local events logs

Jan 2019
- Appliance Major Release (v1.6.0): HTTP/2, improved network management capabilities

Mar 2019
- Templates: API Generics, Microsoft ADFS, JD Edwards

Q2 2019
- Customizable Dashboard
- Alert Reports
- Improved RBAC

Q3 2019
- Appliance empowered with Network Clustering

Q4 2019
- Traffic Management: ddos, ip-reputation, Bots, Scraping
WAF Roadmap - Integrated Suite

Dec 2018
- AI - Feed Application inventory with backend information

Jan 2019
- UD - WAF widgets and queries (WAS & WAF)
- ScanTrust enabled on VM

Mar 2019
- WAS reports with ScanTrust details

Q2 2019
- App's Sitemap v2
- Sol ... implementation (text cut off in the source)

Q3 2019
- Virtual Patch supports Burp and Bug Bounties

Q4 2019
- CV - fetch app's grade and patch